Description

As I deliver training to ExtraHop customers, I regularly see the same DNS queries causing errors.

Many of these DNS errors are 'check box fixes'. The hard part is finding the misconfigured device(s) in your network. That's where ExtraHop's AI Triggers and Application Containers come to the rescue.

Attached is an ExtraHop Bundle that takes specific DNS queries and ties them back to the clients making the query.

Out of the box this bundle looks for four known 'problem' DNS queries:

DNS-SD -- this is not regular DNS but service discovery used by Bonjour; it usually represents unnecessary traffic on your network.

isatap -- this is IPv6-over-IPv4 tunneling. If you are an IPv4-only shop this is probably unnecessary traffic on your network and you may be able to turn it off; it is enabled by default on Windows 7 and Server 2008.

wpad -- this is Web Proxy Auto-Discovery. Either configure a wpad host on your network or turn it off; all major browsers support wpad, and it can present a security risk if left enabled and unconfigured.

reverse DNS -- as the name suggests, this converts IP addresses into hostnames. Reverse DNS is often 'broken', or works on some subnets but is broken for others.

Installation Instructions

Download the attached bundle. Note: Bundles were introduced in version 3.7.

Upload and apply the bundle to your ExtraHop. Click Settings then Bundles then Upload. Select the bundle. Click Apply. You should see a Bundle Import Status dialog similar to the following:

Assign the trigger 'DNS Query to Hostname' (part of the bundle) to a device or group of devices. For example, to assign the trigger to all devices in the 10.10.6.0/24 subnet, use the following criteria for a dynamic group:

ip address = /^10\.10\.6\./

The trigger in the bundle creates an Application Container called 'Problem DNS Queries'. Wait a couple of minutes for ExtraHop to populate the Application Container.

Click Applications, then click Problem DNS Queries. You should see 4 entries in the tree control:

DNS-SD Queries,

IN-ADDR.ARPA Queries,

ISATAP Queries, and

WPAD Queries.

Each of the 4 pages listed above shows the rate of each query and the absolute count of that query over a given time window. Note that the rate and count are for the number of queries, not the error rate. To see the clients making the query, click on the rate graph.

If you want, you can modify the trigger 'DNS Query to Hostname' (part of the bundle) to look for DNS queries specific to your environment.
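As an added example (not the bundle's trigger code, and not using the ExtraHop trigger API), the following standalone JavaScript matches the four query patterns described above and counts matches per client, the same grouping the Application Container presents. It goes slightly beyond the bundle by also treating ip6.arpa lookups as reverse DNS and by excluding Active Directory SRV lookups such as _ldap._tcp from the DNS-SD match; the sample records are constructed.

```javascript
// Classify a DNS query name into one of the bundle's four "problem" categories.
// Each matcher receives a lower-cased name with any trailing dot removed.
const PROBLEM_DNS = {
  // Unicast DNS-SD / Bonjour: _services._dns-sd._udp.<domain> or _<svc>._tcp.local.
  // Restricted to .local so AD SRV lookups (_ldap._tcp.dc._msdcs...) are not flagged.
  "DNS-SD Queries": (q) => /_dns-sd\._udp\./.test(q) || /^_[^.]+\._(tcp|udp)\.local$/.test(q),
  // Reverse lookups for IPv4 and (beyond the bundle) IPv6 addresses.
  "IN-ADDR.ARPA Queries": (q) => /\.(in-addr|ip6)\.arpa$/.test(q),
  // ISATAP router discovery: bare "isatap" or "isatap.<search domain>".
  "ISATAP Queries": (q) => /^isatap(\.|$)/.test(q),
  // Web Proxy Auto-Discovery: bare "wpad" or "wpad.<search domain>".
  "WPAD Queries": (q) => /^wpad(\.|$)/.test(q),
};

// Returns the category label, or null for an ordinary query.
function classifyQuery(qname) {
  const q = qname.toLowerCase().replace(/\.$/, "");
  for (const [label, matches] of Object.entries(PROBLEM_DNS)) {
    if (matches(q)) return label;
  }
  return null;
}

// records: array of { client, qname }.  Returns { label: { client: count } },
// i.e. which clients are sending each problem query and how often.
function summarize(records) {
  const byLabel = {};
  for (const { client, qname } of records) {
    const label = classifyQuery(qname);
    if (label === null) continue; // ordinary queries are ignored
    const perClient = byLabel[label] || (byLabel[label] = {});
    perClient[client] = (perClient[client] || 0) + 1;
  }
  return byLabel;
}

// Constructed sample records (not captured traffic) from the 10.10.6.0/24 example subnet.
const SAMPLE = [
  { client: "10.10.6.21", qname: "WPAD.corp.example." },
  { client: "10.10.6.21", qname: "wpad" },
  { client: "10.10.6.33", qname: "isatap.corp.example" },
  { client: "10.10.6.40", qname: "_services._dns-sd._udp.local" },
  { client: "10.10.6.40", qname: "_airplay._tcp.local" },
  { client: "10.10.6.50", qname: "21.6.10.10.in-addr.arpa" },
  { client: "10.10.6.50", qname: "_ldap._tcp.dc._msdcs.corp.example" },
  { client: "10.10.6.50", qname: "www.example.com" },
];

console.log(JSON.stringify(summarize(SAMPLE), null, 2));
```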
